Microsoft reveals vulnerability CVE-2021-42306 in Microsoft Azure AD

Microsoft issued a security advisory on November 17, 2021 disclosing a vulnerability in Microsoft Azure Active Directory (Azure AD). It is an information disclosure flaw: private key material that had been uploaded to an application's keyCredentials could be read back from Azure AD by other identities in the tenant.


I was alerted to the issue by Microsoft via email in a security bulletin. The vulnerability CVE-2021-42306 is rated as important (CVSS score of 8.1).

Title: Microsoft Security Update Revisions
Issued: November 17, 2021


The following CVE has been published to the Security Update Guide.
* CVE-2021-42306

CVE-2021-42306 | Azure Active Directory Information Disclosure Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: November 17, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: Important


CVE-2021-42306 is an information disclosure vulnerability. It arises when a user or application uploads unprotected private key data as part of a keyCredential authentication certificate to an Azure AD application or service principal. A keyCredential is meant to carry only the public certificate, so uploading the private key is not recommended. Because the keyCredentials property of applications was readable, any user or service in the tenant with read access to applications could read the private key data that had been added to those applications.

Microsoft has fixed the vulnerability in Azure AD by preventing disclosure of any private key values added to an application. Microsoft has also identified the services that could have stored private keys in this way and the actions customers should take to protect themselves.

Azure Automation Run As accounts created between 10/15/2020 and 10/15/2021 with a self-signed Azure Automation certificate that has not been renewed since are affected. Customers using their own certificates for Run As accounts could be affected regardless of the certificate renewal date. To identify and remediate affected Azure AD applications associated with affected Run As accounts, please navigate to this [link to Github repo]. In addition, Azure Automation supports managed identities (GA announced in October 2021). Migrating runbooks from Run As accounts to managed identities mitigates this issue, because no certificate-backed service principal (and no keyCredential) is needed any more.
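To make concrete what "unprotected private key data in a keyCredential" looks like, and how one could triage a tenant's applications for it before touching Run As accounts, here is an added Python example. It is my own illustration and not Microsoft's remediation script from the linked GitHub repo, nor NetSPI's tooling. It assumes the caller has already fetched applications or service principals with their keyCredentials (including the key value) through Microsoft Graph; the sample response and the tiny DER blobs below are constructed stand-ins, truncated to the leading structure the classifier inspects. The classifier keys on the DER layout: an X.509 certificate opens with a nested SEQUENCE (the tbsCertificate), whereas PKCS#12/PFX, PKCS#8 and PKCS#1 private key containers open with an INTEGER version field, and PEM private key blocks carry a recognisable header.

```python
import base64
import json

# Constructed, minimal DER blobs standing in for real keyCredential values.
# Real values are kilobytes long; these keep only the outer SEQUENCE plus the
# first inner element, which is all the classifier below looks at.
SAMPLE_X509 = bytes.fromhex("30053003020101")       # SEQUENCE { SEQUENCE { INTEGER 1 } }  (public cert shape)
SAMPLE_PKCS12 = bytes.fromhex("30050201033000")     # SEQUENCE { INTEGER 3, SEQUENCE {} }  (PFX shape)
SAMPLE_PKCS8 = bytes.fromhex("300702010030000400")  # SEQUENCE { INTEGER 0, SEQUENCE {}, OCTET STRING }
SAMPLE_PEM = b"-----BEGIN PRIVATE KEY-----\nMIIEvQ...\n-----END PRIVATE KEY-----\n"  # constructed PEM


def b64(raw):
    """Base64-encode bytes the way Graph returns keyCredential.key values."""
    return base64.b64encode(raw).decode()


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, pos + length


def classify_key_blob(b64_key):
    """Classify a base64 keyCredential value as public certificate or private key material."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if b"PRIVATE KEY-----" in raw:  # PEM: RSA/EC/PKCS#8/ENCRYPTED PRIVATE KEY blocks
        return "private-pem"
    try:
        outer_tag, start, _ = _read_tlv(raw, 0)
        if outer_tag != 0x30:
            return "unknown"
        inner_tag, istart, iend = _read_tlv(raw, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "public-certificate"
    if inner_tag == 0x02:  # leading INTEGER version field
        version = int.from_bytes(raw[istart:iend], "big") if iend > istart else -1
        if version == 3:   # PFX ::= SEQUENCE { version INTEGER (3), authSafe, macData }
            return "private-pkcs12"
        if version in (0, 1):  # PKCS#8 PrivateKeyInfo / PKCS#1 RSAPrivateKey / SEC1 ECPrivateKey
            return "private-pkcs8-or-pkcs1"
    return "unknown"


def find_leaked_private_keys(graph_response):
    """Walk a Graph-style applications or servicePrincipals list; flag keyCredentials holding private keys."""
    findings = []
    for obj in graph_response.get("value", []):
        for cred in obj.get("keyCredentials") or []:
            key = cred.get("key")
            if not key:
                continue  # Graph returns null unless the key property was explicitly requested
            kind = classify_key_blob(key)
            if kind.startswith("private-"):
                findings.append({
                    "appId": obj.get("appId"),
                    "displayName": obj.get("displayName"),
                    "keyId": cred.get("keyId"),
                    "usage": cred.get("usage"),
                    "kind": kind,
                })
    return findings


# Constructed response; shape follows a Graph list of applications with keyCredentials expanded.
SAMPLE_GRAPH_RESPONSE = {
    "value": [
        {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "automation-runas-ok",
         "keyCredentials": [{"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify",
                             "key": b64(SAMPLE_X509)}]},
        {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "automation-runas-leaky",
         "keyCredentials": [{"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify",
                             "key": b64(SAMPLE_PKCS12)}]},
        {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "custom-cert-app",
         "keyCredentials": [{"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Verify",
                             "key": b64(SAMPLE_PEM)},
                            {"keyId": "k4", "type": "AsymmetricX509Cert", "usage": "Verify",
                             "key": None}]},
    ]
}

if __name__ == "__main__":
    for finding in find_leaked_private_keys(SAMPLE_GRAPH_RESPONSE):
        print(json.dumps(finding))
```

Run it against a real export and every hit is a credential that must be treated as compromised: confirm the blob with openssl (for example `openssl pkcs12 -info` on the decoded bytes), remove the keyCredential, rotate the certificate and, for Run As accounts, move the runbooks to a managed identity as the post describes. The classifier only inspects the leading DER structure, so it will not spot a private key buried deeper inside an otherwise well-formed certificate container; it is a triage filter, not proof of absence.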

Microsoft lists further affected services in the CVE-2021-42306 entry, but rates exploitation as unlikely. Security researchers at NetSPI, an enterprise penetration testing firm that identified the vulnerability, write here that an attacker with a retrieved private key could authenticate as the Run As service principal and thereby elevate privileges to Contributor on any subscription with an Automation account, gaining access to the resources in the affected subscriptions. Security Week has published a summary article on the topic.


This entry was posted in Cloud, Security.
